Skip to content

Commit 0f17ebd

Browse files
Merge branch 'main' into patch-8
2 parents 06158f8 + 3b10047 commit 0f17ebd

40 files changed

Lines changed: 1112 additions & 1692 deletions

autopilot/includes/deregister-autopilot-device.md

Lines changed: 19 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
---
22
ms.topic: include
3-
ms.date: 06/13/2025
3+
ms.date: 02/27/2026
44
---
55

66
<!-- This file is shared by the following articles:
@@ -16,7 +16,7 @@ Below we describe the steps an admin would go through to deregister a device fro
1616

1717
### Delete from Intune
1818

19-
Before a device is deregistered from Windows Autopilot, it first has to be deleted from Intune. To delete an Windows Autopilot device from Intune:
19+
Before a device is deregistered from Windows Autopilot, it first has to be deleted from Intune. To delete a Windows Autopilot device from Intune:
2020

2121
1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2222

@@ -34,7 +34,7 @@ Before a device is deregistered from Windows Autopilot, it first has to be delet
3434

3535
### Deregister from Windows Autopilot using Intune
3636

37-
Once the device is deleted from Intune, it can then be deregistered from Windows Autopilot. To deregister a device from Windows Autopilot:
37+
Once the device is deleted from Intune, it can then be deregistered from Windows Autopilot. This process includes required cleanup steps in Intune and Microsoft Entra ID to prevent orphaned or unrecoverable devices. To deregister a device from Windows Autopilot:
3838

3939
1. Make sure the device is deleted from Intune as described in the [Delete from Intune](#delete-from-intune) section.
4040

@@ -67,11 +67,24 @@ Once the device is deleted from Intune, it can then be deregistered from Windows
6767

6868
> [!IMPORTANT]
6969
>
70-
> - For Microsoft Entra join devices, no additional steps are necessary to remove the device from Intune and Windows Autopilot. Unneeded steps include manually deleting the device from Microsoft Entra ID. Manually deleting the device from Microsoft Entra ID might cause unexpected problems, issues, and behavior. If needed, the device will be automatically removed from Microsoft Entra ID after these steps are followed.
70+
> - For Microsoft Entra joined devices, no additional steps are required after deregistering the device from Windows Autopilot using Intune. Avoid manually deleting the device from Microsoft Entra ID, as this can cause unexpected issues.
7171
>
72-
> - For Microsoft Entra hybrid join devices, delete the computer object from the on-premises Active Directory Domain Services (AD DS) environment. Deleting the computer object from the on-premises AD DS ensures that the computer object isn't resynced back to Microsoft Entra ID. After the computer object is deleted from the on-premises AD DS environment, no additional steps are necessary to remove the device from Intune and Windows Autopilot. Unneeded steps include manually deleting the device from Microsoft Entra ID. Manually deleting the device from Microsoft Entra ID might cause unexpected problems, issues, and behavior. If needed, the device will be automatically removed from Microsoft Entra ID after these steps are followed.
72+
> - For Microsoft Entra hybrid joined devices, delete the computer object from the on‑premises Active Directory Domain Services (AD DS) environment to prevent it from being resynced to Microsoft Entra ID. After this step, no additional actions are required in Intune or Windows Autopilot. Avoid manually deleting the device from Microsoft Entra ID.
73+
>
74+
> For information about what to expect in Microsoft Entra ID after deregistration, see [What happens to the Microsoft Entra device object after deregistration?](#what-happens-to-the-microsoft-entra-device-object-after-deregistration)
7375
74-
The above steps deregister the device from Windows Autopilot, unenroll the device from Intune, and disjoin the device from Microsoft Entra ID. It might appear that only deregistering the device from Windows Autopilot is needed. However, there are barriers in Intune that require all the above steps to avoid problems with lost or unrecoverable devices. To prevent the possibility of orphaned devices in the Windows Autopilot database, Intune, or Microsoft Entra ID, it's best to complete all the steps. If a device gets into an unrecoverable state, contact the appropriate [Microsoft support alias](../autopilot-support.md) for assistance.
76+
This process ensures that related records in Windows Autopilot, Intune, and Microsoft Entra ID are handled correctly. Skipping steps or removing records out of order can result in orphaned records or unrecoverable devices. If a device goes into an unrecoverable state, contact the appropriate [Microsoft support alias](../autopilot-support.md) for assistance.
77+
78+
### What happens to the Microsoft Entra device object after deregistration?
79+
80+
Deregistering a device from Windows Autopilot removes the device’s registration from the Windows Autopilot deployment service. However, this action doesn’t always remove the corresponding Microsoft Entra device object.
81+
82+
What happens in Microsoft Entra ID depends on the device’s join and enrollment state:
83+
84+
- **Devices that aren’t currently enrolled in MDM:** Removing the Windows Autopilot registration can also result in the associated Microsoft Entra device object being removed.
85+
- **Devices that are or were enrolled in MDM:** Removing the Windows Autopilot registration doesn’t automatically delete the Microsoft Entra device object. In this case, the device can remain in Microsoft Entra ID even though it’s no longer registered with Windows Autopilot.
86+
87+
Because this behavior varies, avoid manually deleting the device from Microsoft Entra ID unless a specific scenario requires it. The Windows Autopilot deployment process relies on the Microsoft Entra device object, and deleting it can cause enrollment failures.
7588

7689
### Deregister from Windows Autopilot using Microsoft 365 admin center
7790

intune/advanced-analytics/device-query-multiple-devices.md

Lines changed: 71 additions & 42 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
---
22
title: Device Query for Multiple Devices in Advanced Analytics
33
description: Use device query for multiple devices in Microsoft Intune to run Kusto Query Language (KQL) queries, analyze device inventory, and gain cross-platform insights.
4-
ms.date: 12/01/2025
4+
ms.date: 01/23/2026
55
ms.topic: how-to
66
---
77

@@ -70,7 +70,7 @@ Additional prerequisites for device query for multiple devices:
7070
1. Input a query in the query box using the supported properties and supported operators.
7171
1. Select **Run** to execute the query.
7272
1. Results are displayed in the **Results** tab area.
73-
- If you only want to run part of the query, or if you have multiple queries in the query window and only want to run one, you can highlight the query you want to run and select **Run**. Only that query is run.
73+
- To run part of a query or a single query when multiple queries are in the window, highlight the query you want to run and select **Run**. Only the highlighted query runs.
7474

7575
You can expand the view on the left side to see all the properties that can be queried. Select any one to populate into your query. You can select and drag the edges of both the left side and the query window to make any adjustments.
7676

@@ -87,50 +87,66 @@ To help you get started, some sample queries are provided in this section. To ac
8787

8888
### Top processors by Core Count
8989

90-
This query lists the top five CPUs sorted by core count.
90+
This query shows the top five CPUs by core count.
9191

9292
```kusto
93-
Cpu| project Device, ProcessorId, Model, Architecture, CpuStatus, ProcessorType, CoreCount, LogicalProcessorCount, Manufacturer, AddressWidth| order by CoreCount asc| take 5
93+
Cpu
94+
| project Device, ProcessorId, Model, Architecture, CpuStatus, ProcessorType, CoreCount, LogicalProcessorCount, Manufacturer, AddressWidth
95+
| order by CoreCount asc
96+
| take 5
9497
```
9598

9699
### Devices with unprotected disks
97100

98101
This query lists devices with unencrypted disks.
99102

100103
```kusto
101-
EncryptableVolume| where ProtectionStatus != "PROTECTED"| join LogicalDrive
104+
EncryptableVolume
105+
| where ProtectionStatus != "PROTECTED"
106+
| join LogicalDrive on Device
102107
```
103108

104109
### Arm64 devices
105110

106111
This query lists all devices with an ARM64 processor.
107112

108113
```kusto
109-
Cpu | where Architecture == "ARM64"
114+
Cpu
115+
| where Architecture == "ARM64"
110116
```
111117

112118
### Device count by processor architecture
113119

114120
This query provides a summary of devices by CPU architecture.
115121

116122
```kusto
117-
Cpu| summarize DeviceCount=count() by Architecture
123+
Cpu
124+
| summarize DeviceCount = count() by Architecture
118125
```
119126

120127
### Top devices by battery capacity
121128

122129
This query lists the top 10 devices by fully charged battery capacity.
123130

124131
```kusto
125-
Battery| project Device, InstanceName, Manufacturer, Model, SerialNumber, CycleCount, DesignedCapacity, FullChargedCapacity, FullChargedCapacityPercent = (FullChargedCapacity*100)/DesignedCapacity| top 10 by FullChargedCapacityPercent asc
132+
Battery
133+
| project Device, InstanceName, Manufacturer, Model, SerialNumber, CycleCount,
134+
DesignedCapacity,
135+
FullChargedCapacity,
136+
FullChargedCapacityPercent = (FullChargedCapacity * 100) / DesignedCapacity
137+
| top 10 by FullChargedCapacityPercent asc
126138
```
127139

128140
### Devices memory information
129141

130142
This query lists devices with physical and virtual memory in GB.
131143

132144
```kusto
133-
MemoryInfo| project Device, PhysicalMemoryGB = PhysicalMemoryTotalBytes/(1000*1000*1000), VirtualMemoryGB = VirtualMemoryTotalBytes/(1000*1000*1000) | order by PhysicalMemoryGB asc
145+
MemoryInfo
146+
| project Device,
147+
PhysicalMemoryGB = PhysicalMemoryTotalBytes/(1000*1000*1000),
148+
VirtualMemoryGB = VirtualMemoryTotalBytes/(1000*1000*1000)
149+
| order by PhysicalMemoryGB asc
134150
```
135151

136152
### Device count by OS version
@@ -165,17 +181,20 @@ Device query supports only a subset of the operators supported in the Kusto Quer
165181

166182
Table operators can be used to filter, summarize, and transform data streams. The following operators are supported:
167183

168-
| Table Operators | Description |
184+
| Table operator | Description |
169185
| --- | --- |
170186
| `count` | Returns a table with a single record containing the number of records. |
171-
| `distinct` | Produces a table with the distinct combination of the provided columns of the input table. |
172-
| `join` | Merge the rows of two tables to form a new table by matching row for the same device. Only the join types of `innerunique`, `Leftouter`, `Fullouter`, `Rightouter`, and inner are supported. If you type in a join type other than the ones supported, they're ignored. Join statements support `on` syntax if joined with `Device` or `Device.Deviceid`. Common syntax for join is LeftEntity \| join [hints] (RightEntity) on Conditions. For more info, see [Join](/kusto/query/join-operator) documentation.|
173-
| `order by` | Sort the rows of the input table into order by one or more columns. |
174-
| `project` | Select the columns to include, rename or drop, and insert new computed columns. |
175-
| `take` | Return up to the specified number of rows. |
187+
| `distinct` | Produces a table with distinct combinations of the provided columns from the input table. |
188+
| `join` | Merges rows from two tables to form a new table based on matching values in the specified columns. The following join types are supported:<br>- `innerunique` (default)<br>- `inner`<br>- `leftouter`<br>- `rightouter`<br>- `fullouter`<br>- `leftsemi`<br>- `rightsemi`<br>- `leftanti`<br>- `rightanti`<br><br>Join statements support an optional `on` clause. In device query scenarios, you typically use `on Device` when joining tables that contain a `Device` entity. Common syntax for `join` is: `LeftTable | join [hints] (RightTable) on Conditions`.<br><br> **Important:** Joins that use `on Device.DeviceID` are no longer supported. Queries that currently specify `on Device.DeviceId` should switch to using `on Device`, or omit the `on` clause when joining on the `Device` entity.<br><br>For more information, see [Join operator](/kusto/query/join-operator). |
189+
| `order by` | Sorts the rows of the input table by one or more columns. |
190+
| `project` | Selects columns to include, rename, or drop, and inserts new computed columns. |
191+
| `take` | Returns up to the specified number of rows. |
176192
| `top` | Returns the first N records sorted by the specified columns. |
177-
| `where` | Filter a table to the subset of rows that satisfy a predicate. |
178-
| `summarize` | produces a table that aggregates the contents of the input table. |
193+
| `where` | Filters a table to the subset of rows that satisfy a predicate. |
194+
| `summarize` | Produces a table that aggregates the contents of the input table. |
195+
196+
> [!NOTE]
197+
> `Device` is an entity-type and can't be used directly in operators that require scalar values (such as `distinct`, `summarize`, and `order by`). For these operators, use a specific scalar property of the device (for example, `Device.SerialNumber` or `Device.OSVersion`).
179198
180199
### Scalar operators
181200

@@ -297,60 +316,70 @@ Device query for multiple devices supports a linked entity. The Device entity ca
297316
| `LastSeenDateTime` | String | The date and time that the device last connected to Intune. |
298317
| `Ownership` | String | Ownership of the device. |
299318

300-
Device entity allows you to reference the device associated with a resulting row without needing to write a separate query to join them together. Essentially, it acts as an automatic join to include device information in your query results.
301319

302-
The device entity is automatically joined to every other entity for ease of use. The device entity is the first column in they query results, unless the query updates the return type through use of operators like a `project`, `summarize`, or `distinct`.
320+
The `Device` entity allows you to reference device information associated with each resulting row without needing to explicitly join to a device table.
321+
322+
By default, query results include a `Device` entity column that provides device context for each row. Operators such as `project`, `summarize`, or `distinct` can change which columns are returned.
323+
324+
`Device` represents the device associated with the resulting row and can be referenced directly as an entity-type column. When displayed in query results, the `Device` entity is shown using a friendly identifier, such as the device name, to make it easier to identify devices.
303325

304-
Using Device by itself in a query parses to `Device.DeviceId`. In the Device column returned by default, the DeviceId is translated to DeviceName to allow for easier identification of devices.
305-
The device entity and its properties can also be referenced in queries by referencing Device.[Insert property].
326+
You can reference properties of the `Device` entity in queries using `Device.[Property]`.
306327

307-
The following query returns all the DiskDrive information for all devices with serial number 123:
328+
The following query returns all `DiskDrive` information for devices with a specific serial number:
308329

309330
```kusto
310331
DiskDrive
311-
where Device.SerialNumber = 123
332+
| where Device.SerialNumber == "123"
312333
```
313334

314-
The following query projects the Device ID and Manufacturer properties of the entity DiskDrive:
335+
336+
The following query projects the `Device` entity and the `Manufacturer` property from the `DiskDrive` entity:
315337

316338
```kusto
317-
DiskDrive | project Device.DeviceId, Manufacturer
318-
```
319339
320-
Although the Device entity that is shown as the first column by default appears as device names using Device by itself in a query parses to Device.DeviceId.
321-
This query returns results ordered by the DeviceID, not by DeviceName:
340+
DiskDrive
341+
| project Device, Manufacturer
322342
323-
```kusto
324-
MemoryInfo | order by Device
325343
```
326344

327-
Similarly, this query returns no results unless the device ID is Desktop123. It doesn't query on device name:
345+
By default, query results include a `Device` entity that represents the device associated with each row. The `Device` entity is an entity-type column and does not implicitly resolve to a specific scalar property.
346+
When sorting or filtering results, explicitly reference the device property you want to use. For example, this query orders results by device name:
328347

329348
```kusto
330-
Cpu | where Device == "Desktop123"
349+
350+
MemoryInfo
351+
| order by Device.DeviceName
352+
331353
```
332354

333-
Use the following example to query on device name:
355+
Similarly, to filter by device name, reference the `DeviceName` property directly:
334356

335357
```kusto
336-
Cpu | where Device.DeviceName == 'Desktop123"
358+
359+
Cpu
360+
| where Device.DeviceName == "Desktop123"
361+
337362
```
338363

339364
## Known limitations
340365

341-
- Using the Device entity in aggregation functions shows a red underline. However, the query can still run and can return results as expected. For example, the following query shows a red underline under **Device** but still runs:
366+
367+
- Using entity-type columns such as `Device` in aggregation functions can show a red underline in the editor because aggregation functions require scalar values. To avoid this, reference a specific scalar property of the entity. For example:
342368

343369
```kusto
344-
Cpu | summarize max(Device) by Manufacturer.
370+
Cpu
371+
| summarize max(CpuUsage) by Device.Manufacturer
345372
```
346373

347-
- Queries with a join operator, $left and $right parameters show a red underline under $left and $right. However, the query can still run and returns results as expected.
348-
- A single query can contain a maximum of three join operators. Queries with more joins fail.
349-
- A max of ~50,000 records are returned for a query.
350-
- A maximum of 10 queries can be submitted per minute. Any other queries within the same minute fail.
374+
- Queries that use the `join` operator with `$left` and `$right` parameters may show a red underline in the editor. However, the query can still run and return results as expected.
375+
- A single query can contain a maximum of three `join` operators. Queries with more joins fail.
376+
- A maximum of ~50,000 records are returned for a query.
377+
- A maximum of 10 queries can be submitted per minute. Additional queries within the same minute fail.
351378
- A maximum of 1,000 queries can be submitted per month.
352-
- Negative values for the amounts parameter of the datetime_add() function aren't supported.
353-
- Referencing a variable that has been summarized by an aggregation function throws an error. Explicitly naming the variable allows the query to succeed again. For example, the query Device | summarize dcount(DeviceId) | order by dcount_DeviceId will fail. Device | summarize DCountDeviceIdRename=dcount(DeviceId) | order by DCountDeviceIdRename succeeds.
379+
- Negative values for the `amount` parameter of the `datetime_add()` function aren't supported.
380+
- Referencing a variable that was generated by an aggregation function without explicitly naming it can cause a query to fail. Explicitly naming the variable allows the query to succeed. For example:
381+
- The query `Device | summarize dcount(DeviceId) | order by dcount_DeviceId` fails.
382+
- The query `Device | summarize DCountDeviceIdRename = dcount(DeviceId) | order by DCountDeviceIdRename` succeeds.
354383

355384
<!--links-->
356385

intune/configmgr/cloud-attach/use-intune-rbac.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -30,7 +30,7 @@ The three high-level steps to configure Intune as the role-based access control
3030

3131
## Limitations
3232

33-
- Currently [scoping](../../intune-service/fundamentals/scope-tags.md) isn't supported when using only Intune role-based access control for for displaying and taking actions on tenant-attached devices from the Microsoft Intune admin center.
33+
- Currently [scoping](../../intune-service/fundamentals/scope-tags.md) isn't supported when using only Intune role-based access control for displaying and taking actions on tenant-attached devices from the Microsoft Intune admin center.
3434
- Currently, the [**Software updates** page](../tenant-attach/software-updates.md) isn't available for cloud-only users when using the early update ring of Configuration Manager version 2207. <!--15287859-->
3535

3636
## <a name="bkmk_disable-configmgr"></a> Disable enforcement of Configuration Manager role-based access control for cloud-attached clients

0 commit comments

Comments
 (0)